Chinese Hackers Breach US Internet Firms Through Startup, Lumen Says

China’s state-sponsored hacking campaign known as Volt Typhoon is exploiting a bug in software from a California startup to break into American and Indian internet companies, according to security researchers.

Volt Typhoon breached four U.S. firms, including Internet service providers, and another in India through a vulnerability in a Versa Networks server product, according to Lumen Technologies Inc.’s Black Lotus Labs unit. Their assessment, much of which was published in a blog post on Tuesday, found with “moderate confidence” that Volt Typhoon was behind the exploitation of unpatched Versa systems and said the exploitation was likely ongoing.

Versa, which makes software that manages network configurations and has attracted investment from Blackrock Inc. and Sequoia Capital, announced the bug last week and provided a patch and other mitigations.

The disclosure will add to concerns about the susceptibility of critical US infrastructure to cyber attacks. The US this year accused Volt Typhoon of infiltrating networks that operate critical US services, including some of the country’s water, power grid and communications sectors, in order to cause disruptions during a future crisis, such as an invasion of Taiwan.

Lumen shared its findings with Versa in late June, according to Lumen and supporting documentation shared with Bloomberg.

Versa, based in Santa Clara, Calif., said it issued an emergency patch for the bug in late June, but only began widely reporting the problem to customers in July after being notified by one who claimed to have been breached. Versa said that customer, which it did not identify, did not follow previously published guidance on how to protect its systems through firewall rules and other measures.

Dan Maier, Versa’s chief marketing officer, said in an email Monday that those 2015 guidelines included advising customers to shut down Internet access on a specific port, which the customer did not follow. Since last year, he said, Versa has taken its own steps to make the system “secure by default,” meaning customers will no longer be at risk even if they haven’t followed the company’s guidelines.

The bug has a “high” severity rating, according to the National Vulnerability Database. On Friday, the Cybersecurity and Infrastructure Security Agency, known as CISA, ordered federal agencies to patch Versa products or stop using them by September 13.

The vulnerability was exploited in at least one known instance by a sophisticated hacking group, Versa said in a blog post on Monday. The company did not identify the group, and on Friday, Versa told Bloomberg it did not know the identity.

Microsoft Corp. first named and publicly described the Volt Typhoon campaign in May 2023. Since its discovery, US officials have urged companies and utilities to improve their logging to help hunt down and root out the hackers, who use vulnerabilities to get into systems and then remain undetected for long periods of time.

The Chinese government has rejected the US accusations, saying the hacking attacks attributed to Volt Typhoon are the work of cybercriminals.

CISA director Jen Easterly told Congress in January about the malicious cyber activity, warning that the U.S. has only discovered the tip of the iceberg when it comes to victims and that China’s goal is to be able to plunge the U.S. into “societal panic.”

US agencies, including CISA, the National Security Agency and the FBI, said in February that Volt Typhoon’s activity dates back at least five years and targeted communications, energy, transportation systems, water and wastewater systems.

Lumen first identified the malicious code in June, according to Lumen researcher Michael Horka. A malware sample uploaded from Singapore on June 7 bore the hallmarks of Volt Typhoon, he said in an interview.

Horka, a former FBI cyber investigator who joined Lumen in 2023 after working on the Volt Typhoon cases for the federal government, said the code was a web shell that allowed the hackers to gain access to a customer’s network using legitimate credentials and then act as bona fide users.
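Horka describes the classic web-shell pattern: a server-side script planted on a trusted system that gives the intruder a foothold and lets them blend in with legitimate users. The article itself contains no technical detail on the shell or the product. The following is an added example, written for this page and not code from Lumen, Versa or Bloomberg, of the kind of triage a defender would run on any web-facing appliance: scan the served script directory for code that a web shell typically needs (command execution, dynamic evaluation, payload decoding) and then correlate the candidates with web server access logs to find who was talking to them. The heuristic patterns, the web root layout, the file names and the log lines are all constructed for the example; the log format assumed is the common Apache/nginx combined style.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns for code a web shell typically needs. Constructed for this
# example; they will also hit legitimate admin tooling, so treat matches as leads.
SUSPICIOUS_CODE = re.compile(
    r"Runtime\.getRuntime\(\)\.exec|ProcessBuilder|\beval\s*\(|base64_decode|"
    r"shell_exec|passthru|\bsystem\s*\(",
    re.IGNORECASE,
)
SCRIPT_SUFFIXES = {".jsp", ".jspx", ".php", ".aspx", ".ashx"}

# Assumed combined log format: ip ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) (?P<size>\d+|-)"
)


def find_candidate_scripts(webroot: Path):
    """Return [(url_path, matched_fragment)] for served scripts matching the heuristics."""
    hits = []
    for p in sorted(webroot.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            m = SUSPICIOUS_CODE.search(p.read_text(errors="replace"))
            if m:
                hits.append(("/" + p.relative_to(webroot).as_posix(), m.group(0)))
    return hits


def correlate_access_log(log_lines, candidate_paths):
    """Group requests that touched a candidate script by client IP.

    POSTs to a candidate are the strongest signal (an operator sending commands);
    GETs may be a scanner or the original drop. Unparseable lines are skipped.
    """
    wanted = set(candidate_paths)
    by_ip = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # strip query string before matching
        if path in wanted:
            by_ip.setdefault(m.group("ip"), []).append(
                {"method": m.group("method"), "path": path, "status": int(m.group("status"))}
            )
    return by_ip


def run_demo():
    """Build a constructed web root and access log, run both checks, return findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "app").mkdir()
        (root / "app" / "index.jsp").write_text('<html><% out.println("hello"); %></html>')
        # Constructed stand-in for a planted shell (not a real sample): runs a parameter.
        (root / "app" / "help.jsp").write_text(
            '<% String c = request.getParameter("c"); Runtime.getRuntime().exec(c); %>'
        )
        candidates = find_candidate_scripts(root)
    log = [  # constructed access-log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
        '203.0.113.7 - - [07/Jun/2024:10:01:02 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
        '203.0.113.7 - - [07/Jun/2024:10:01:05 +0000] "POST /app/help.jsp HTTP/1.1" 200 91',
        '203.0.113.7 - - [07/Jun/2024:10:02:11 +0000] "POST /app/help.jsp?c=id HTTP/1.1" 200 40',
        '198.51.100.9 - - [07/Jun/2024:10:03:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
        "garbage line that does not parse",
    ]
    hits = correlate_access_log(log, [p for p, _ in candidates])
    return candidates, hits


if __name__ == "__main__":
    cands, hits = run_demo()
    for path, frag in cands:
        print(f"candidate script {path}: matched {frag!r}")
    for ip, reqs in hits.items():
        print(f"{ip}: {len(reqs)} request(s) to candidate scripts, methods {[r['method'] for r in reqs]}")
```

On a real system the interesting follow-ups are the file's modification time relative to the appliance's last legitimate upgrade, and whether the client IP that POSTed to the script also appears in the product's own authentication logs, which is the "act as bona fide users" half of Horka's description.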


Copyright 2024 Bloomberg.
